This invention relates generally to controlling access to resources, such as information, in an information system of an enterprise, and more particularly to controlling access to information using varied multi-conditional, multi-functional policies defined and expressed in accordance with the XACML standard and language.
An information system usually provides an access control facility that controls access to the information resources managed by the system. Such a facility manages a collection of access control policies that are created by resource owners or authorized administrators. When the system receives a request by a user for access to a protected information resource, all applicable access control policies in effect must be evaluated to determine whether the user's request should be permitted or denied. For a large information system, such as that of an enterprise, a major challenge is to perform this process efficiently, especially for a request that involves many resources, such as a query that may examine or return hundreds of thousands, or more, protected resources, and for access policies that may be quite varied and multi-conditional. An access control facility based upon the known access control list (ACL) approach, which controls access based upon user identifiers, is ill-suited for such an application, as it is document-centric and cannot easily handle different conditions.
The OASIS eXtensible Access Control Markup Language (XACML) affords a standardized representation for an access control policy and an access control decision request/response language. It enables externalization of decision calculation for access requests based on XACML policies, thereby allowing reuse of decision logic. The XACML v2.0 specification is available from OASIS (Organization for the Advancement of Structured Information Standards). The XACML policy language is highly expressive and extensible and can accommodate fine-grained access control, making it highly advantageous for access control in an information management system requiring a varied, multi-conditional access policy. However, evaluation of XACML policies is time consuming. Because of XACML's generality and extensibility, a brute-force evaluation of XACML policies is highly inefficient, especially when a large number of resources are involved, such as in the case of a query request. Since access control performance is critical in information systems, the advantages afforded by XACML's generality and extensibility are offset by the poor performance of known XACML policy evaluation approaches in large enterprises.
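As an added illustration, not part of the patent's disclosure, of the brute-force evaluation the background describes: a minimal evaluator for a small subset of XACML 2.0 (string-equal Target matches and the deny-overrides rule-combining algorithm) that is run once for every resource a query returns. The policy, the attribute ids `role`, `action-id` and `classification`, and the record set are constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:2.0:policy:schema:os"}
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed sample policy: analysts may read, but "secret" resources are denied (deny-overrides).
POLICY_XML = f"""<Policy xmlns="{NS['x']}" PolicyId="p1"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"><Target/>
 <Rule RuleId="permit-analyst-read" Effect="Permit"><Target>
  <Subjects><Subject><SubjectMatch MatchId="{STRING_EQUAL}"><AttributeValue DataType="{STRING}">analyst</AttributeValue>
   <SubjectAttributeDesignator AttributeId="role" DataType="{STRING}"/></SubjectMatch></Subject></Subjects>
  <Actions><Action><ActionMatch MatchId="{STRING_EQUAL}"><AttributeValue DataType="{STRING}">read</AttributeValue>
   <ActionAttributeDesignator AttributeId="action-id" DataType="{STRING}"/></ActionMatch></Action></Actions>
 </Target></Rule>
 <Rule RuleId="deny-secret" Effect="Deny"><Target>
  <Resources><Resource><ResourceMatch MatchId="{STRING_EQUAL}"><AttributeValue DataType="{STRING}">secret</AttributeValue>
   <ResourceAttributeDesignator AttributeId="classification" DataType="{STRING}"/></ResourceMatch></Resource></Resources>
 </Target></Rule></Policy>"""

def _matches(target, request):
    """Target semantics: AND across categories, OR across entries, AND across Matches."""
    if target is None:  # a Rule without a Target applies to every request
        return True
    for cat, tag in (("subject", "Subject"), ("resource", "Resource"), ("action", "Action")):
        group = target.find(f"x:{tag}s", NS)
        if group is None: continue  # category omitted from the Target: matches any value
        if not any(all(m.get("MatchId") == STRING_EQUAL
                       and request[cat].get(m.find(f"x:{tag}AttributeDesignator", NS).get("AttributeId"))
                       == m.find("x:AttributeValue", NS).text
                       for m in entry.findall(f"x:{tag}Match", NS))
                   for entry in group.findall(f"x:{tag}", NS)):
            return False
    return True

def evaluate(policy, request):
    """deny-overrides: any applicable Deny rule wins, else Permit, else NotApplicable."""
    if not _matches(policy.find("x:Target", NS), request):
        return "NotApplicable"
    decision = "NotApplicable"
    for rule in policy.findall("x:Rule", NS):
        if _matches(rule.find("x:Target", NS), request):
            if rule.get("Effect") == "Deny": return "Deny"
            decision = "Permit"
    return decision

def filter_query_results(policy_xml, subject, action, resources):
    """Brute force: the whole policy is re-evaluated once per resource the query returned."""
    policy = ET.fromstring(policy_xml)
    return [r for r in resources if evaluate(policy, dict(subject=subject, action=action, resource=r)) == "Permit"]
```

Every returned record costs a full pass over every rule's Target, which is the per-resource cost that makes this approach scale poorly for the large query results the text describes.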
It is desirable to provide access control facilities comprising systems and methods that take advantage of the extensibility and generality of XACML while addressing the foregoing and other problems, by affording efficient evaluation of XACML policies and high-performance access control facilities based thereon. It is to these ends that the present invention is directed.